Resources for the Check Point Community, by the Check Point Community.


VPN from Checkpoint to Cisco ASA - Route based

Hi All
First of all, I need to know if, on a Check Point firewall, it is still the case that if you build a VPN based on a community etc., you can only have 1 VPN domain for the whole firewall. So, for example, if I have a Check Point firewall that I need to connect to 2 different sites, do they all use the same source network to build the VPN tunnels? Can this not be changed on a per-VPN basis? For example, on my Cisco ASAs I can use whatever source network I want to build the tunnel.

If this is still the case, then is my only option to use the route-based VPN option on the Check Point?

If so, can I use the Check Point's external IP as the source and the peer's external IP as the destination IP to build the VPN tunnel? Would this be done by creating a VPN interface on Gaia, using unnumbered and selecting the outside interface, putting the peer as the VPN peer public IP, and would you then add a route on the firewall pointing whatever traffic you want through it?
I believe if you do this the Check Point would present the 0.0.0.0 network as a subnet ID to my peer? My peer would be an ASA. The 0.0.0.0 on my ASA may cause some issues, so I don't really want it to do that.

Re: VPN from Checkpoint to Cisco ASA - Route based

Route-based VPN (VTI in Check Point) uses an empty encryption domain with basically 0.0.0.0/0 for the src and dst of the tunnel. Anything routed to the interface would be sucked into the VPN. Are you mixing domain-based and route-based? I haven't done it myself, but I *think* VTIs just basically ignore the encryption domain.

Re: VPN from Checkpoint to Cisco ASA - Route based

Technically, you can have two encryption domains per firewall object: one for site-to-site, and one for remote-access. This doesn't really map to anything in the Cisco world, though. The encryption domain needs to contain every network which will ever trigger VPN negotiation, but the firewall only negotiates what is actually used. That is, you can have 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, and so on in your encryption domain and 192.168.0.0/24 in a peer's, and if you only have rules to allow 10.0.1.0/24 to reach 192.168.0.0/24, only that will be proposed.

You can also NAT traffic over a VPN such that dissimilar networks behind the Check Point look the same to different peers. To do this, you need the real network and the NATed network in the encryption domain. The real network is needed to trigger the early encryption decision, then NAT happens, then the NATed network is needed for the negotiation.

You can control VPN negotiations in great detail using user.def, but I strongly recommend controlling them with the encryption domain if you are able. You will generally get the best results doing this by setting ike_use_largest_possible_subnets to false. Directions are on Check Point's support site.

Edited to add: Forgot to mention. With ike_use_largest disabled, your VPN negotiations should match exact object definitions in your encryption domains. Using the earlier networks, that means if your rule allows 10.0.1.2 to reach 192.168.0.37, the negotiation will be 10.0.1.0/24 to 192.168.0.0/24. If you have 10.0.1.0/25 in your encryption domain, that would be used instead.
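As an added illustration (this is not code from the thread, and not Check Point's implementation), the following Python model walks through the two behaviours the replies describe: with ike_use_largest_possible_subnets disabled, the gateway proposes the most specific encryption-domain object containing the host in the rule (so 10.0.1.0/25 wins over 10.0.1.0/24), and a route-based VTI with empty domains proposes 0.0.0.0/0 on both sides. It also includes the NAT-over-VPN check from the second reply, that both the real and the NATed network must sit inside the domain. The function names, the simplified longest-prefix matching, and the sample networks are assumptions made for the example; they let you sanity-check a planned encryption domain before the peer sees a proxy ID you did not expect.

```python
"""Toy model of Check Point encryption-domain negotiation as described above.

Assumptions (illustrative only, not the vendor's algorithm):
- ike_use_largest_possible_subnets=false: the proposed subnet is the most
  specific encryption-domain object that contains the host in the rule.
- Route-based VTI: both encryption domains are empty, proxy IDs are 0.0.0.0/0.
- NAT over VPN: both the real and the NATed network must be inside the domain.
"""
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # proxy ID a VTI presents when the domain is empty


def select_proxy_subnet(host, encryption_domain):
    """Return the most specific domain object containing `host`, or None.

    None means the host is outside the encryption domain, so traffic to or
    from it never triggers VPN negotiation (the misconfiguration to look for
    when a tunnel "never comes up" for one network).
    """
    addr = ip_address(host)
    matches = [ip_network(net) for net in encryption_domain
               if addr in ip_network(net)]
    if not matches:
        return None
    # Longest prefix wins: 10.0.1.0/25 is chosen over 10.0.1.0/24.
    return str(max(matches, key=lambda net: net.prefixlen))


def negotiate(rule_src, rule_dst, local_domain, peer_domain):
    """Proxy-ID pair (local, remote) proposed for a rule allowing src -> dst."""
    if not local_domain and not peer_domain:
        # Route-based VTI: empty domains, everything routed in is encrypted.
        return (ANY, ANY)
    local = select_proxy_subnet(rule_src, local_domain)
    remote = select_proxy_subnet(rule_dst, peer_domain)
    if local is None or remote is None:
        return None  # no negotiation is triggered for this flow
    return (local, remote)


def nat_over_vpn_ok(real_net, nated_net, local_domain):
    """True when both the real and the NATed network are covered by the domain."""
    domain = [ip_network(net) for net in local_domain]

    def covered(net):
        candidate = ip_network(net)
        return any(candidate.subnet_of(obj) for obj in domain)

    return covered(real_net) and covered(nated_net)


if __name__ == "__main__":
    # Constructed sample matching the networks used in the reply above.
    local = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
    peer = ["192.168.0.0/24"]
    print(negotiate("10.0.1.2", "192.168.0.37", local, peer))
    print(negotiate("10.0.1.2", "192.168.0.37", local + ["10.0.1.0/25"], peer))
    print(negotiate("10.0.1.2", "192.168.0.37", [], []))
```

Run it as a script to see the three cases side by side; the point of the model is that adding a more specific object to the domain changes what the peer sees, which is exactly the kind of change that breaks a static crypto map on the ASA side.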